Clickjacking Revisited: A Perceptual View of UI Security - PowerPoint PPT Presentation



SLIDE 1

Clickjacking Revisited

A Perceptual View of UI Security

Devdatta Akhawe / Warren He / Zhiwei Li / Reza Moazzezi / Dawn Song
University of California, Berkeley

SLIDE 2

Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives

(Wikipedia)

SLIDE 3

Today

  • Five novel clickjacking attacks that bypass current defenses
  • Evaluation with 250 users on MTurk

SLIDE 4

Attack Setup

  • Attacker wants to trick user into clicking a button, in our case, the Facebook Like button
  • Attacker convinces user to play a game on attacker-controlled webpage
  • Attacker can frame the Facebook Like button, but has no control over the FB display area/frame
  • Attacker has full control of remaining display area

SLIDE 5

Attacker page

SLIDE 6

A successful attack (bypassing current defenses) requires the Like button to be fully visible for a noticeable amount of time (say ~500ms)
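The visibility condition on this slide is the check that click-delay style clickjacking defenses impose on a framed button. The following is an added illustration, not code from the talk, from any browser, or from Facebook: an event-driven model of that check, where the 500 ms threshold, the event shapes and the three constructed scenarios are assumptions.

```javascript
// Added example: models the "fully visible for ~500 ms before the click"
// rule that current clickjacking defenses apply to a framed button.
// The constant and the event shapes are assumptions for illustration.
const REQUIRED_VISIBLE_MS = 500;

// Returns true when the target was fully visible, without interruption,
// for at least REQUIRED_VISIBLE_MS immediately before clickTime.
// visibilityEvents: time-sorted array of {t, visible} state changes.
function clickAccepted(visibilityEvents, clickTime) {
  let visibleSince = null; // start of the current uninterrupted visible run
  for (const ev of visibilityEvents) {
    if (ev.t > clickTime) break;              // events after the click are irrelevant
    if (ev.visible && visibleSince === null) visibleSince = ev.t;
    if (!ev.visible) visibleSince = null;     // any occlusion resets the timer
  }
  return visibleSince !== null && clickTime - visibleSince >= REQUIRED_VISIBLE_MS;
}

// Runs three constructed scenarios and returns {scenarioName: accepted}.
function evaluateScenarios() {
  const scenarios = {
    // Classic overlay clickjacking: button uncovered 200 ms before the click.
    lateReveal: { events: [{ t: 0, visible: false }, { t: 800, visible: true }], click: 1000 },
    // Brief occlusion shortly before the click restarts the 500 ms window.
    flicker: { events: [{ t: 0, visible: true }, { t: 700, visible: false },
                        { t: 720, visible: true }], click: 1000 },
    // Perceptual attack from the talk: the button is visible the whole time
    // and the user still clicks it by mistake, so the check passes.
    perceptual: { events: [{ t: 0, visible: true }], click: 1000 },
  };
  const result = {};
  for (const [name, s] of Object.entries(scenarios)) {
    result[name] = clickAccepted(s.events, s.click);
  }
  return result;
}
```

The third scenario is the one the talk's attacks exploit: the visibility rule is satisfied, so a defense built only on this check cannot distinguish the misdirected click from an intended one.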

SLIDE 7

Destabilizing Pointer Perception

SLIDE 8

Video Demo

SLIDE 9

  • Player starts moving mouse
  • Fake pointer starts moving to the left (red)
  • User keeps moving up and right (black), but fake pointer (red) stays left, confusing the user
  • Finally, close to the target, player corrects in a sudden motion, moving the real pointer towards right
  • Player clicks Like button by mistake

SLIDE 10

Successful Attack

  • One concern is the appearance of the real pointer when it approaches the Like button
    – Attacker has no control over “Like” button frame
  • Key Idea: distract the player’s attention with lots of moving images

SLIDE 11

Real Attack

SLIDE 12

Attacking Peripheral Vision

SLIDE 13

Game Setup

SLIDE 14

  • Player must leave mouse at bottom of screen
  • But, watch main game area at top right

SLIDE 15

(Figure: game timeline, panel (a), with rows for Sensor, Blocks and Player plotted against time)

SLIDE 16

(Figure: the same timeline with panels (a), (b) and (c) and a pause marked)

SLIDE 17

Motor Adaptation

SLIDE 18

Game Setup

SLIDE 19

Player presented with asteroid

SLIDE 20

  • Asteroid explodes when clicked
  • Mineral produced at constant displacement
  • Player must click on this mineral for points

SLIDE 21

Once trained, put Like button instead of mineral

SLIDE 22

Fast Motion Mislocalization

SLIDE 23

Game Setup

SLIDE 24

Player presented with asteroid with spinning arrow

SLIDE 25

  • When arrow stops, mineral shoots out
  • Player must click on mineral for points

SLIDE 26

The Flash Lag Effect

  • Flash lag is a visual illusion where a moving object, at a particular instant, seems further ahead than it actually is
  • Brain predicts future displacement
  • The player’s click is actually beyond the mineral, but we still award points

SLIDE 27

After a few trials, put Like button beyond mineral

SLIDE 28

Visual Cues and Click Timing

SLIDE 29

Game Setup

SLIDE 30

  • Negative points for clicking on grey asteroid
  • Positive points for clicking on red asteroid

SLIDE 31

Move asteroid under a Like button

SLIDE 32

Evaluation

SLIDE 33

Evaluation

Attack Name                        Number of subjects   Success Rate (%)
Destabilizing Pointer Perception   50                   100
Peripheral Vision                  49                   51.02
Adaptation                         46                   28.26
Fast Motion Mislocalization        47                   27.66
Visual Cue for timing              50                   50

  • MTurk study with 50 workers for each attack.
  • Some subjects exited before completing the exercise.
  • Attacks 2 through 5 work for touch devices too!

SLIDE 34

This is only a lower-bound …

SLIDE 35

Complex Attacks

  • Our attacks are simple. Possible to dynamically adapt the attack as user plays the games.
  • Better models of pointer movement and click prediction can improve success rates.
  • Each attack targets a different limitation of human perception. A combined attack likely to achieve 100% success.

SLIDE 36

More Attacks

  • Human perception is a vast and well studied topic. Many more attacks possible.
  • For example, Change Blindness:
    – Well studied phenomenon in which user fails to notice difference in two images.
    – Attacker can switch in a Like button and an appropriately primed user won’t notice.

SLIDE 37

Future Work

SLIDE 38

Future Work

  • Secure UI design needs to take human perception into account while designing interfaces
    – Changes needed to specifications such as the UI Security specification
  • Computer Vision based techniques (or machine perception) could be key for defenses
  • Designing a secure user interaction mechanism critical for security

SLIDE 39

evil@berkeley.edu

questions?